Hi all,
I have posted a similar question before, but I think I was not specific enough.
What I mean is, when getting events as a data input from Checkpoint devices, including by using LEA_OPSEC, all of these events are listed and shown as one host and source. In the events listing I see multiple different origins of the events, so my question is:
Is there a possibility to filter these different origins before indexing them, to display them by source or host according to their origin?
Hope that is a bit clearer 🙂
Cheers,
Christian
Christian,
You can add a "host = " line in your /opt/splunk/etc/system/local/inputs.conf file. It would look something like this:
[script:/opt/splunk/etc/apps/lea-loggrabber-xxx_xxx/bin/lea-loggrabber.sh]
host = xxx_xxx
interval = 60
sourcetype = opsec
disabled = false
After making the change, stop/start splunk and you should see the host now showing up instead of the name of the box this is configured on.
-Matt
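The inputs.conf change above assigns one fixed host to every event the script produces, which is what the question says is already happening. If the goal is to have each event carry the host of the gateway that actually generated it, the usual Splunk approach is a host override at parsing time: a transforms.conf stanza that runs a regex against the raw event and writes the capture into the host metadata field, wired in from props.conf. The following is an added example, not part of Matt's answer or the lea-loggrabber app. It assumes the sourcetype is `opsec` as in the snippet above, that the raw events are pipe-separated `key=value` pairs in the loggrabber style, and that the origin gateway appears in a field named `orig`; check the field name against your own events before using it.

```ini
# props.conf (on the indexer or heavy forwarder that parses the data,
# not on a universal forwarder, because TRANSFORMS run at parsing time)
[opsec]
# Run the host override below on every event of sourcetype=opsec
TRANSFORMS-set_host_from_orig = opsec_host_from_orig

# transforms.conf (same instance)
[opsec_host_from_orig]
# Assumed field name: the loggrabber output carries the originating
# gateway as "orig=<name>"; adjust the regex if your events differ.
# Capture everything after "orig=" up to the next pipe separator.
REGEX = (?:^|\|)orig=([^|]+)
# Write the capture into the host metadata field
FORMAT = host::$1
DEST_KEY = MetaData:Host
```

After restarting Splunk on the parsing instance, verify with a search such as `sourcetype=opsec | stats count by host` over newly indexed data; events already indexed keep whatever host they were given at index time. If the regex does not match an event, that event keeps the host from inputs.conf, so leaving the `host =` line in place is a sensible fallback rather than a conflict.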
Thanks for your reply!